TimThumb.php Attacks – Now Being Used for Blackhat Spam SEO and Might Break Your Site

We have been talking a lot lately about the Timthumb.php vulnerability and the importance of updating that script as soon as possible. Sites that didn’t update it are getting compromised very easily. We explained it in more detail here: Mass infection of WordPress sites because of TimThumb.php.

What we are seeing now is sites getting compromised to load links for blackhat seo purposes. They have their wp-settings.php modified with the following code:

It’s very dynamic, always changing. So in addition to having malware and infecting your users, you could be helping the attackers with page rank as well.

What is interesting is that on some sites the attackers are not only attempting to infect, but are doing it incorrectly leaving some extra lines at the bottom of the wp-settings.php, causing the sites to fail with this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/site/public_html/wp-settings.php:310) in /home1/site/public_html/wp-includes/pluggable.php on line 890

So if you have this warning (headers already sent by (output started at /home/site/public_html/wp-settings.php:310) on your site, it means you are likely compromised as well.

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.